No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
    • On-Demand Webinars: Earn CEUs
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
    • On-Demand Webinars: Earn CEUs
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Compliance

Navigating HIPAA Compliance in the Cloud: Is Google Workspace the Right Fit?

Exploring cloud solutions for HIPAA-covered organizations

by Nick Harrahill
August 15, 2023
in Compliance
Medical professional enters information into electronic medical record

By 2025, an estimated 85% of enterprises will shift to a cloud-first mindset, while others will adopt a hybrid approach where some services are on-premise and others are in the cloud. For organizations that must comply with HIPAA regulations, cloud computing paves the way for a new set of risks. Often, that means finding the right software solution, which could include Google Workspace, from Gmail’s ubiquitousness to Google’s calendar, document storage, video chatting and more. But is Google Workspace a good solution for companies that need to be mindful of HIPAA compliance as they move functions to the cloud? Cybersecurity practitioner Nick Harrahill explores how companies can marry Google’s cloud offerings with HIPAA’s rigid rules.

Is Google Workspace HIPAA compliant? The short answer is yes, at least according to Google itself. Google’s official statement is that it is compliant with HIPAA and compatible with this important compliance framework for protected health information (PHI). 

The longer answer is: Google Workspace Security is noted as HIPAA compliant as long as certain requirements are met. These include the following:

  1. You use a paid Google Workspace version.
  2. You signed a business associate agreement (BAA) with Google.
  3. Your Google Workspace is configured correctly to support HIPAA compliance.

It is important to remember there are some differences in terms of HIPAA compliance between the various paid Google Workspace plans, so simply using a paid version may not be enough to get you compliant. Let’s look at Gmail, for example.

When thinking about making email compliant with HIPAA, organizations need to use end-to-end encryption. This ensures that information contained in emails is secured as it is transmitted across the internet. Google does offer S/MIME email encryption, but S/MIME encryption relies on your organization using the Google Workspace Enterprise plan as documented in Google’s S/MIME administration guide. Without the end-to-end encryption of the Enterprise plan, companies would need to look at a third-party solution.

It is important to understand that between the various plans, there may be limitations to certain types of configurations for getting a HIPAA compliance certification. You can find more on external sharing here.

Understanding your legal agreement

While HIPAA’s regulations apply directly only to covered entities — such as healthcare providers, plans or  clearinghouses —  if these covered entities use the services of another person or business, those third parties must also provide assurances that their actions will not violate patients’ rights.

BAAs provide assurances that PHI information accessible by third parties will be used only for the purposes explicitly defined by the provider who engaged the third party’s services. In the case of organizations using Google Workspace to house information that may contain PHI data, the BAA needs to be signed with Google.

Luckily, Google makes the process to review and accept the agreement fairly easy by signing into the paid Google Workspace account as an administrator and opting into the HIPAA BAA. 

A note on technical support: Tech support provided by Google is not part of the included HIPAA compliant services the company provides, but, of course, your team does not need to disclose PHI to Google during the course of a tech support ticket.

doctor in scrubs holding tablet
Data Privacy

4 Health Care Data Challenges and How to Overcome Them

by Ajay Khanna
June 28, 2018

Read more

Constructing HIPAA compliance in Google Workspace

An important methodology when it comes to ensuring your Google Workspace environment is HIPAA compliant comes down to the people, processes and technology triangle. Google lists a number of core services that can be used by your organization in conjunction with HIPAA and PHI information. Additionally, there may be services in the list below that require certain features or functionality either to be used or not used for PHI purposes as listed.  

  • Gmail
  • Calendar
  • Drive (including Docs, Sheets, Slides and Forms)
  • Tasks
  • Keep
  • Sites
  • Jamboard
  • Hangouts classic (chat messaging features only)
  • Hangouts Chat
  • Hangouts Meet
  • Google Cloud Search
  • Google Groups
  • Google Voice (managed users only)
  • Cloud Identity Management
  • Vault

It is also important to understand that by default, Google Workspace users may have access to other Google services that are not permitted for use with HIPAA PHI. These other Google services that are not listed in the core services and for which Google has not made available a separate BAA are not permitted for use with HIPAA PHI information. These include:

  • YouTube
  • Blogger
  • Google Photos

Google has provided a Google Workspace help guide discussing how you can see the list of additional Google Workspace services as well as how these additional services can be turned off to be HIPAA compliant. 

You can manage different users in your organization by creating organizational units in Google Workspace, segregating users who interact with PHI from users who do not and adjusting the services they see based on the organizational unit they are a member of.

Other important security practices

The better your overall security posture the easier it is to comply with compliance frameworks like HIPAA, regardless of what other services you might use to perform your organizational functions. Here are a few recommended best practices can help secure your Google Workspace environment and protect HIPAA PHI:

  • Enable Two-factor authentication 
  • Monitor account activity
  • Enable role-based access 
  • Control third-party apps, systems and databases

Tags: Cloud ComplianceHealth CareHIPAATechnology
Previous Post

In the IP Economy, How Should Digital-Native Companies Handle Transfer Pricing?

Next Post

Stock Issuers & SEC Taking the Fight to ‘Toxic’ Lenders

Nick Harrahill

Nick Harrahill

Nick Harrahill is an experienced cybersecurity and business leader with industry experience leading security teams and building programs at enterprise companies PayPal and eBay and cybersecurity start-ups Synack, Elevate Security and Spin.AI. Nick is credentialed in both cyber security (CISSP) and privacy (CIPP/US).

Related Posts

a busy office

Reports: Legal & Compliance Investment in GRC Tools Will Jump 50% by 2026 as Legal Workloads Continue to Expand

by Staff and Wire Reports
September 29, 2023

External reporting, officer conduct, compliance & ERM all targets for technological intervention

fednow homepage displayed on mobile device

How Companies Can Get Ahead Using FedNow

by Nick Botha
September 25, 2023

The Federal Reserve’s instant payment system FedNow went live in late July, and dozens of banks and credit unions have...

theater curtain

Comms Surveillance: Everyone Plays a Role in Picking a Vendor

by Harriet Christie
August 29, 2023

Federal regulators’ attention on the use of mobile devices in the financial services industry has companies adopting new technology and...

perpetual motion bird

Continuous Compliance Keeps Organizations From Focusing on the Past

by Alev Viggio
August 21, 2023

What’s more useful to your organization: understanding your compliance posture today or where you stood six months ago? Drata’s Alev...

Next Post
A pair of old boxing gloves

Stock Issuers & SEC Taking the Fight to ‘Toxic’ Lenders

Available SQ
New call-to-action

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment Sanctions SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2023 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
    • On-Demand Webinars: Earn CEUs
  • Subscribe

© 2023 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT